[Snort-sigs] Rule message change 27875
Joel Esler (jesler)
jesler at ...3865...
Wed Jan 8 15:55:45 EST 2014
On Jan 8, 2014, at 2:22 PM, Joseph Cooper <joseph.cooper at ...3872...> wrote:
I was wanting your opinions and checking to see if we could get the msg for this rule changed. The rule doesn’t actually look for DotCachef itself, but for JJEncoding, which a lot of software and ad sites are starting to use.
Having the rule message state it is an Exploit-Kit has caused fellow analysts to continuously look for what is not there, and I feel a change would be beneficial to all.
Let me know what you think :)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:",$$$$|3A|(!+|22 22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27875; rev:1; )
Sounds good, I’ll adjust it to something more appropriate.
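To make the point of the thread concrete, the following added example (not code from the list or from the Snort rule set) decodes the rule's content option into the raw bytes Snort compares and runs that comparison over constructed response bodies; the sample bodies are made up for illustration and do not come from any real kit or site.

```python
"""Added example: emulate the content match of sid:27875 over HTTP bodies.
The rule has a single content option with fast_pattern:only, so any
response body containing this byte string matches, JJEncoded or not."""

# Content option exactly as written in the rule quoted in the thread.
RULE_CONTENT = ',$$$$|3A|(!+|22 22|)'


def snort_content_to_bytes(content: str) -> bytes:
    """Convert Snort content syntax to raw bytes: text outside pipes is
    literal, text inside |...| is space-separated hex (e.g. |22 22| -> b'""')."""
    out = bytearray()
    for i, chunk in enumerate(content.split('|')):
        if i % 2 == 0:                       # literal segment
            out.extend(chunk.encode('latin-1'))
        else:                                # hex segment between pipes
            out.extend(bytes.fromhex(chunk.replace(' ', '')))
    return bytes(out)


def matches_sid_27875(body: bytes) -> bool:
    """Emulate the rule's file_data content match (case-sensitive, as the
    rule has no nocase modifier) against a reassembled response body."""
    return snort_content_to_bytes(RULE_CONTENT) in body


# Constructed samples (hypothetical, not captured traffic).
# A JJEncode-style obfuscated script from an otherwise benign ad network
# that happens to contain the byte sequence the rule keys on:
BENIGN_JJENCODED_AD = (
    b'HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n'
    b'$=~[];$={___:++$,$$$$:(!+"")[$],__$:++$,$_$_:(!+"")[$]};'
)
# An ordinary, unobfuscated script body:
PLAIN_SCRIPT = (
    b'HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n'
    b'var $ = {}; function track(id) { return id + 1; }'
)


def triage(bodies):
    """Return which constructed bodies would trigger the rule; the match on
    the benign ad shows why the 'EXPLOIT-KIT' msg text is misleading."""
    return {name: matches_sid_27875(b) for name, b in bodies.items()}


if __name__ == '__main__':
    print(snort_content_to_bytes(RULE_CONTENT))
    print(triage({'benign_ad': BENIGN_JJENCODED_AD, 'plain': PLAIN_SCRIPT}))
```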